Lords questions gov't over web-data retention laws

The House of Lords has questioned the government as to how it intends to implement EU legislation on internet-data retention.

The Earl of Northesk asked the government on Friday how it intends to make it law for internet service providers (ISPs) to retain internet-traffic data.

"Earl of Northesk to ask Her Majesty's Government... how they intend to give legal force to these elements of the directive?" wrote the Earl in a question to parliament.

Under the European Data Retention Directive, ISPs in the UK will be legally obliged to retain all traffic data for up to two years, and must be able to efficiently respond to requests for that data from law-enforcement and intelligence services. The directive is currently being incorporated into the Communications Data Bill.

Under the Anti-Terrorism, Crime and Security Act, passed in 2001 following the attacks on the US World Trade Center, ISPs could voluntarily retain data for law-enforcement use. The Communications Data Bill will legally require ISPs to retain that traffic data.

Cambridge University security expert Richard Clayton said that the manner in which the government decides to implement the directive will have far-reaching effects on ISPs.

"Let's be clear; the directive is extremely vague," said Clayton. "It's an interesting question about how expensive it might be. It completely depends what is proposed. For example, 80 percent of email is spam. If that is rejected by the server, do you still need to record the source and destination?"

Clayton said that the retention equipment would need "to be resilient to survive individual disc failures, the equipment has to last, and it would be nice if it didn't consume too much power." He added that storage would also have to be state-of-the-art. "Don't get carried away by cheap storage," said Clayton. "If the disc fails, you could get prosecuted."

Clayton said that it was unclear whether the government would fund the costs of new equipment and engineers required by law for ISPs to retain and discover data.

The Internet Services Providers' Association (ISPA) declined to comment about the potential expense to its members, but said that it is in communication with the Home Office about the Communications Data Bill.

"ISPA has been in touch with the Home Office and is waiting for further information about the proposed Communications Data Bill. In particular, we want to know more about the government's intentions regarding 'modifying the procedures for acquiring communications data'. As the government plans to publish this Bill in draft for pre-legislative scrutiny later this year, ISPA is looking forward to participating fully in the consultation process."

The Home Office had not responded to a request for comment at the time of writing.

Richard Clayton explained that, under the programme, the government would require ISPs and telecommunications companies to fit traffic-inspection devices into their systems, so government and law-enforcement bodies could monitor data.

"The proposal is to keep all of that data on a centralised database rather than with telcos, plus the suggestion that ISPs fit deep packet inspection boxes that would allow [the government] to snoop on any communications they want to," said Clayton, who added that he had concerns over expense and privacy.

"I think it's a complete waste of money," said Clayton. "I don't know what the cost would be, but it sounds like a flight of fancy from the people in the West Country [GCHQ] as to how a modern state should be run. They think that, if they monitor everything, they can make the world a safe democracy, but we seem to have lasted many years without putting microphones in every house in the land."